DeFi protocol ‘Curve Finance’ loses $570,000 after DNS hack

The automated market maker called Curve Finance has lost about $570,000 after a cyber attack. Hackers successfully changed a project name server and exploited the system.

DNS Spoofing

The hackers have succeeded in adapting the ‘Domain Name System’ (DNS) input of the protocol to its own IP address. Then they could add approval requests to a malicious smart contract. As a result, they managed to loot approximately $570,000.

The protocol continued to run as normal, given that the program itself was not affected by the hack. This is because it is on a different (not hacked) domain name.

The hackers managed to clone the platform as it were thanks to the DNS change. This allowed them to forward all transactions that were carried out for a short period of time to their own addresses. This method is also known as DNS spoofing.

DNS Service Provider Attacked

According to Curve Finance, the hack could take place because their DNS service provider ‘iwantmyname’ was compromised. Since the hack, the Curve Finance team has modified their name server. Such a name server is a server in the DNS that translates domain names into IP addresses and directs traffic over the Internet. Name servers also manage DNS records, each of which associates a domain with one or more IP addresses.

About an hour after the first warning, the cause of the problem was found. The problem was caused by users approving contracts on Curve, but withdrawing them immediately. Although the problem was quickly addressed by the team, the protocol also advised users to use curve.exchange until the distribution of curve.fi returned to normal.

DNS attacks are unfortunately more common. Reportedly, about 90% of financial institutions have experienced at least one such type of attack in the past year. The damage per attack is very different, but averages out to about $1.1 million per attack if it succeeds. Phishing attacks and DNS-based malware are reportedly most prevalent in the financial sector.